Policy | Security | Investigation

security video

August 22, 2011

I am looking for cases and stories about digital evidence that had been collected but could not be used or authenticated (or at least became open to question) on account of problems like these:

1. Investigator could not vouch for the evidence due to the investigator's death, retirement, refusal to cooperate or termination of employment.

2. Investigator committed some kind of error related to his/her securing of the evidence with a digital hash, key or signature. Example: investigator used a private crypto key to "sign" a digital evidence file, but the private key was compromised either before or after its use and therefore the trustworthiness of the evidence diminished.

October 18, 2010

Electronic commercial law (E-SIGN) is liberal as to what can serve as a legal signature. Essentially, a signature is just a symbol adopted with the intent to approve or authenticate a transaction or a record. The symbol can be as simple as the characters of a name at the bottom of an email.

But e-commerce practitioners have long fussed over how secure a signature should be. They feared that if the signature were just a typed name in an email, then the purported signer could repudiate* the signature by alleging that someone stole the password to his email account, spoofed his email address or tampered with the email record after the email was sent. Although supporting such an allegation in the context of real commercial relationships is often hard to do, the risk of the allegation still causes many lawyers and other professionals to insist that documents be signed by fax or hand-delivered paper.

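But technology has changed. Webcams have become very common. They are on all new laptops, and now even smartphones like the iPhone have cameras that face the user. These webcams make video signatures easy, like this:

[Embedded video: the author speaks a webcam signature for a non-disclosure agreement with Acme Corp., stating the date and time.]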

A webcam signature could be attached to an email that also attaches the document being signed (in the example above, the document is a non-disclosure agreement with Acme Corp.). By itself, email provides a pretty good system of records, controls and audit trails to establish from which account the email came, when it was sent and whether the record of it was tampered with. But the webcam signature adds an additional layer of reliability. It shows the signer moving his lips and speaking the words of intent to sign.

Yes, a webcam signature can be forged. But forgery is not easy amid the details of an actual commercial relationship. The forger must coordinate a fabrication of audio and video in a way that fits with the other facts of the real situation.

A webcam signature is emotionally very compelling because it involves recorded, physical activity. It's hard for the signer to say later that he did not soberly, knowingly and voluntarily intend to sign the NDA.

Note one of the controls I used in the webcam signature example above. I spoke the date and time. The date and time in the video could synch up with the time stamp on the email to make a potential forger’s work all the more difficult.

Mr. Wright is the founding author of The Law of Electronic Commerce, a treatise originally published in 1991.

*Signatures are sometimes needed for proving that a particular individual approved a transaction. Experience teaches that signatures can be useful to connect an individual to a legal act. Some criminal prosecutions have failed on account of the prosecutor's inability to prove that the defendant signed a document. For example, in United States v. Larm, 824 F.2d 780 (9th Cir. 1987), an allergist was acquitted of Medicare fraud concerning claim forms he did not personally sign. In United States v. Brown, 763 F.2d 984 (8th Cir.), cert. denied, 474 U.S. 905 (1985), the conviction of a pharmacist was reversed on some counts because the government could not link him, through a signature or initials, to claims submitted to the government for brand-name drugs when generic drugs were dispensed.

September 28, 2008

Burst.com’s electronic mail records served the company well in its trade secret lawsuit against Microsoft.

Wrongful Withholding of Records?

Burst had held conversations with Microsoft in which it confidentially (under non-disclosure agreement) revealed trade secrets (nonpublic ideas of an inventor) about Burst's streaming media technology. Burst later alleged that Microsoft chose to use these trade secrets without Burst’s consent, and without compensation to Burst.

So Burst sued, claiming misappropriation of trade secrets and breach of contract. During the discovery phase of the lawsuit, Microsoft was required to reveal all of its e-mail records on the topic, and Microsoft did turn over a large number of e-mails regarding its development and use of streaming technology.

But a question arose in court as to whether Microsoft had complied fully with the discovery requirements. Burst contended that Microsoft had wrongfully withheld some e-records or destroyed them. To support its contention, Burst produced numerous email records of its own showing particular exchanges between Burst and Microsoft, where Microsoft had produced no corresponding records on its end. Stefanie Olsen, “Microsoft ordered to uncover old e-mails,” September 10, 2003.

Microsoft's Mismanagement of Records Played to Adversary's Advantage

This mismatch in email records led the court to suspect Microsoft was being evasive. The court ordered Microsoft to sift through backup tapes in search of missing e-records (looking for electronically stored information (ESI) in network backup is a tedious and expensive process!). The court's suspicion, coupled with the order to look through backup, put Microsoft at a strategic disadvantage and contributed to the company’s decision to settle the case and pay Burst $60 million. Tim Siglin, “Microsoft Settles Burst.com Lawsuit,” March 14, 2005.

The institution retains those three classes of data in a dedicated archival system (more than just normal production records and backup).

East Carolina retains e-mail of top school administrators for seven years, then purges it. In my experience, seven years is the traditionally recognized period for responsible retention of important financial records.

To reduce costs, the university retains archives in tiers. Newer or higher-priority archives are in higher-performance "primary" storage, whereas older archives are relegated to slower storage, outside the network backup program.

On the topic of tiers, I’ll go one step further than what I read about East Carolina U. I envision another, even lower and less expensive tier, where archives are retained and organized but not accessible by fully-automated means.

From the perspective of e-discovery theory, a rationale for tiered storage is this: E-discovery law is most intolerant when records are destroyed too early. In the e-records world, too-early destruction is the most common type of "spoliation" or "obstruction of justice". E-discovery law is also intolerant (but maybe a bit less so) when a litigant possesses records, but she doesn’t know it and can’t find them.

Finally, e-discovery law seems to be more tolerant when a litigant possesses records, knows she possesses them, knows more or less where they are, but just can't get to them very easily. When this is the case in a lawsuit, a litigant is much less likely to be charged with spoliation. Instead, the plaintiff and defendant are prone to go before the judge and argue about the extent to which the dusty old e-archives are important and about who should pay for how much of the cost of retrieving them.

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. He does not give advice to non-clients.